X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=doc%2Fman1%2Fciphers.pod;h=e29c5d7ced9369d93f2b695a1dde37b23524248e;hp=6fea82433c7ad2f72289ae49e31b6be35f72c7f9;hb=fc5ecaddd0c2aa76dfc8b9c4a7b3686cf2a3a292;hpb=f2bcff43bcd5b1e2632273ef8fea0900a15d7769 diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod index 6fea82433c..e29c5d7ced 100644 --- a/doc/man1/ciphers.pod +++ b/doc/man1/ciphers.pod @@ -2,6 +2,7 @@ =head1 NAME +openssl-ciphers, ciphers - SSL cipher display and cipher list tool =head1 SYNOPSIS @@ -20,6 +21,8 @@ B B [B<-psk>] [B<-srp>] [B<-stdname>] +[B<-convert name>] +[B<-ciphersuites val>] [B] =head1 DESCRIPTION 
@@ -63,47 +66,43 @@ When combined with B<-s> includes cipher suites which require SRP. =item B<-v> -Verbose output: For each ciphersuite, list details as provided by +Verbose output: For each cipher suite, list details as provided by L. =item B<-V> Like B<-v>, but include the official cipher suite values in hex. -=item B<-tls1_3> +=item B<-tls1_3>, B<-tls1_2>, B<-tls1_1>, B<-tls1>, B<-ssl3> -In combination with the B<-s> option, list the ciphers which would be used if -TLSv1.3 were negotiated. +In combination with the B<-s> option, list the ciphers which could be used if +the specified protocol were negotiated. +Note that not all protocols and flags may be available, depending on how +OpenSSL was built. -=item B<-tls1_2> - -In combination with the B<-s> option, list the ciphers which would be used if -TLSv1.2 were negotiated. - -=item B<-ssl3> +=item B<-stdname> -In combination with the B<-s> option, list the ciphers which would be used if -SSLv3 were negotiated. +Precede each cipher suite by its standard name. -=item B<-tls1> +=item B<-convert name> -In combination with the B<-s> option, list the ciphers which would be used if -TLSv1 were negotiated. +Convert a standard cipher B to its OpenSSL name. -=item B<-tls1_1> +=item B<-ciphersuites val> -In combination with the B<-s> option, list the ciphers which would be used if -TLSv1.1 were negotiated. +Sets the list of TLSv1.3 ciphersuites. This list will be combined with any +TLSv1.2 and below ciphersuites that have been configured. The format for this +list is a simple colon (":") separated list of TLSv1.3 ciphersuite names. By +default this value is: -=item B<-stdname> - -precede each ciphersuite by its standard name: only available is OpenSSL -is built with tracing enabled (B argument to Configure). + TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 =item B -a cipher list to convert to a cipher preference list. If it is not included -then the default cipher list will be used. 
The format is described below. +A cipher list of TLSv1.2 and below ciphersuites to convert to a cipher +preference list. This list will be combined with any TLSv1.3 ciphersuites that +have been configured. If it is not included then the default cipher list will be +used. The format is described below. =back @@ -148,7 +147,16 @@ The cipher string B<@STRENGTH> can be used at any point to sort the current cipher list in order of encryption algorithm key length. The cipher string B<@SECLEVEL=n> can be used at any point to set the security -level to B. +level to B, which should be a number between zero and five, inclusive. +See L for a description of what each level means. + +The cipher list can be prefixed with the B keyword, which enables +the default cipher list as defined below. Unlike cipher strings, +this prefix may not be combined with other strings using B<+> character. +For example, B is not valid. + +The content of the default list is determined at compile time and normally +corresponds to B. =head1 CIPHER STRINGS @@ -156,19 +164,12 @@ The following is a list of all permitted cipher strings and their meanings. =over 4 -=item B - -The default cipher list. -This is determined at compile time and is normally -B. -When used, this must be the first cipherstring specified. - =item B The ciphers included in B, but not enabled by default. Currently this includes all RC4 and anonymous ciphers. Note that this rule does not cover B, which is not included by B (use B if -necessary). Note that RC4 based ciphersuites are not built into OpenSSL by +necessary). Note that RC4 based cipher suites are not built into OpenSSL by default (see the enable-weak-ssl-ciphers option to Configure). =item B 
@@ -183,19 +184,19 @@ The cipher suites not enabled by B, currently B. =item B -"high" encryption cipher suites. This currently means those with key lengths +"High" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys. =item B -"medium" encryption cipher suites, currently some of those using 128 bit +"Medium" encryption cipher suites, currently some of those using 128 bit encryption. =item B -"low" encryption cipher suites, currently those using 64 or 56 bit +"Low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites. All these -ciphersuites have been removed as of OpenSSL 1.1.0. +cipher suites have been removed as of OpenSSL 1.1.0. =item B, B @@ -272,11 +273,11 @@ keys. =item B, B, B -Lists ciphersuites which are only supported in at least TLS v1.2, TLS v1.0 or +Lists cipher suites which are only supported in at least TLS v1.2, TLS v1.0 or SSL v3.0 respectively. -Note: there are no ciphersuites specific to TLS v1.1. +Note: there are no cipher suites specific to TLS v1.1. Since this is only the minimum version, if, for example, TLSv1.0 is negotiated -then both TLSv1.0 and SSLv3.0 ciphersuites are available. +then both TLSv1.0 and SSLv3.0 cipher suites are available. Note: these cipher strings B change the negotiated version of SSL or TLS, they only affect the list of available cipher suites. 
@@ -287,33 +288,33 @@ cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES. =item B -AES in Galois Counter Mode (GCM): these ciphersuites are only supported +AES in Galois Counter Mode (GCM): these cipher suites are only supported in TLS v1.2. =item B, B AES in Cipher Block Chaining - Message Authentication Mode (CCM): these -ciphersuites are only supported in TLS v1.2. B references CCM +cipher suites are only supported in TLS v1.2. B references CCM cipher suites using both 16 and 8 octet Integrity Check Value (ICV) while B only references 8 octet ICV. =item B, B, B -cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit +Cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit ARIA. =item B, B, B -cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit +Cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit CAMELLIA. =item B -cipher suites using ChaCha20. +Cipher suites using ChaCha20. =item B<3DES> -cipher suites using triple DES. +Cipher suites using triple DES. =item B @@ -346,7 +347,7 @@ Cipher suites using SHA1. =item B, B -Ciphersuites using SHA256 or SHA384. +Cipher suites using SHA256 or SHA384. =item B @@ -393,7 +394,7 @@ Setting Suite B mode has additional consequences required to comply with RFC6460. In particular the supported signature algorithms is reduced to support only ECDSA and SHA256 or SHA384, only the elliptic curves P-256 and P-384 can be -used and only the two suite B compliant ciphersuites +used and only the two suite B compliant cipher suites (ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM-SHA384) are permissible. 
@@ -444,7 +445,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA -=head2 AES ciphersuites from RFC3268, extending TLS v1.0 +=head2 AES cipher suites from RFC3268, extending TLS v1.0 TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA @@ -462,7 +463,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA -=head2 Camellia ciphersuites from RFC4132, extending TLS v1.0 +=head2 Camellia cipher suites from RFC4132, extending TLS v1.0 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128-SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA @@ -480,7 +481,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH-CAMELLIA128-SHA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH-CAMELLIA256-SHA -=head2 SEED ciphersuites from RFC4162, extending TLS v1.0 +=head2 SEED cipher suites from RFC4162, extending TLS v1.0 TLS_RSA_WITH_SEED_CBC_SHA SEED-SHA @@ -492,7 +493,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. TLS_DH_anon_WITH_SEED_CBC_SHA ADH-SEED-SHA -=head2 GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0 +=head2 GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0 Note: these ciphers require an engine which including GOST cryptographic algorithms, such as the B engine, included in the OpenSSL distribution. 
@@ -585,29 +586,35 @@ Note: these ciphers can also be used in SSL v3. ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE-ECDSA-AES128-CCM8 ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE-ECDSA-AES256-CCM8 -=head2 ARIA ciphersuites from RFC6209, extending TLS v1.2 - - TLS_RSA_WITH_ARIA_128_CBC_SHA256 ARIA128-CBC-SHA256 - TLS_RSA_WITH_ARIA_256_CBC_SHA384 ARIA256-CBC-SHA384 - TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 DHE-DSS-ARIA128-CBC-SHA256 - TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 DHE-DSS-ARIA256-CBC-SHA384 - TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 DHE-RSA-ARIA128-CBC-SHA256 - TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 DHE-RSA-ARIA256-CBC-SHA384 - TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 DH-anon-ARIA128-CBC-SHA256 - TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 DH-anon-ARIA256-CBC-SHA384 - TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 ECDHE-ECDSA-ARIA128-CBC-SHA256 - TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 ECDHE-ECDSA-ARIA256-CBC-SHA384 - TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 ECDHE-RSA-ARIA128-CBC-SHA256 - TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 ECDHE-RSA-ARIA256-CBC-SHA384 - -=head2 Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2 +=head2 ARIA cipher suites from RFC6209, extending TLS v1.2 + +Note: the CBC modes mentioned in this RFC are not supported. 
+ + TLS_RSA_WITH_ARIA_128_GCM_SHA256 ARIA128-GCM-SHA256 + TLS_RSA_WITH_ARIA_256_GCM_SHA384 ARIA256-GCM-SHA384 + TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 DHE-RSA-ARIA128-GCM-SHA256 + TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 DHE-RSA-ARIA256-GCM-SHA384 + TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 DHE-DSS-ARIA128-GCM-SHA256 + TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 DHE-DSS-ARIA256-GCM-SHA384 + TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 ECDHE-ECDSA-ARIA128-GCM-SHA256 + TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 ECDHE-ECDSA-ARIA256-GCM-SHA384 + TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 ECDHE-ARIA128-GCM-SHA256 + TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 ECDHE-ARIA256-GCM-SHA384 + TLS_PSK_WITH_ARIA_128_GCM_SHA256 PSK-ARIA128-GCM-SHA256 + TLS_PSK_WITH_ARIA_256_GCM_SHA384 PSK-ARIA256-GCM-SHA384 + TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 DHE-PSK-ARIA128-GCM-SHA256 + TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 DHE-PSK-ARIA256-GCM-SHA384 + TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 RSA-PSK-ARIA128-GCM-SHA256 + TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 RSA-PSK-ARIA256-GCM-SHA384 + +=head2 Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-RSA-CAMELLIA128-SHA256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-RSA-CAMELLIA256-SHA384 -=head2 Pre-shared keying (PSK) ciphersuites +=head2 Pre-shared keying (PSK) cipher suites PSK_WITH_NULL_SHA PSK-NULL-SHA DHE_PSK_WITH_NULL_SHA DHE-PSK-NULL-SHA 
@@ -693,11 +700,11 @@ Note: these ciphers can also be used in SSL v3. =head2 TLS v1.3 cipher suites - TLS_AES_128_GCM_SHA256 TLS13-AES-128-GCM-SHA256 - TLS_AES_256_GCM_SHA384 TLS13-AES-256-GCM-SHA384 - TLS_CHACHA20_POLY1305_SHA256 TLS13-CHACHA20-POLY1305-SHA256 - TLS_AES_128_CCM_SHA256 TLS13-AES-128-CCM-SHA256 - TLS_AES_128_CCM_8_SHA256 TLS13-AES-128-CCM-8-SHA256 + TLS_AES_128_GCM_SHA256 TLS_AES_128_GCM_SHA256 + TLS_AES_256_GCM_SHA384 TLS_AES_256_GCM_SHA384 + TLS_CHACHA20_POLY1305_SHA256 TLS_CHACHA20_POLY1305_SHA256 + TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_SHA256 + TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_8_SHA256 =head2 Older names used by OpenSSL @@ -752,11 +759,16 @@ L, L, L The B<-V> option for the B command was added in OpenSSL 1.0.0. +The B<-stdname> is only available if OpenSSL is built with tracing enabled +(B argument to Configure) before OpenSSL 1.1.1. + +The B<-convert> option was added in OpenSSL 1.1.1. + =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L.
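Review bot: In the SYNOPSIS hunk (@@ -20,6 +21,8 @@), the new entries put the argument placeholder inside the bold markup: "[B<-convert name>]" and "[B<-ciphersuites val>]". That renders "name" and "val" as literal text to type. Suggest keeping only the flag in B<> and marking the placeholder as a variable, and doing the same for the matching "=item B<-convert name>" and "=item B<-ciphersuites val>" lines in the options hunk.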
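Review bot: In the options hunk (@@ -63,47 +66,43 @@), the new B<-ciphersuites> and cipherlist text never says that the two lists use different syntax and are filtered independently. A reader who hardens the cipherlist with exclusions or @STRENGTH has no way to tell from these lines whether that also affects the TLSv1.3 suites, which by default include TLS_AES_128_GCM_SHA256. Suggest one explicit sentence under B<-ciphersuites> stating whether cipher string operators apply to it, and what happens when a name in the list is not recognised. Style: this hunk reintroduces "ciphersuites" ("Sets the list of TLSv1.3 ciphersuites", "TLSv1.2 and below ciphersuites") while the rest of the patch normalises to "cipher suites".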
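Review bot: In the @SECLEVEL hunk (@@ -148,7 +147,16 @@), "should be a number between zero and five, inclusive" leaves the out-of-range behaviour undefined. Since this value gates which algorithms and key sizes are accepted, the text should say whether a value outside 0 to 5 is rejected or handled some other way. Two wording points in the same hunk: "using B<+> character" is missing "the", and "as defined below" points at a definition that the following paragraph gives only as "determined at compile time and normally corresponds to", so the reader is sent to a definition that is not fixed.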
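Review bot: In the CIPHER STRINGS hunk (@@ -156,19 +164,12 @@), removing the default-list item from the "list of all permitted cipher strings" means a reader scanning that list no longer finds it, although the item that follows still defines itself relative to what is "not enabled by default". Suggest leaving a one-line entry in the list that points back to the paragraph added in the previous hunk, so the list stays complete as its introduction claims.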
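Review bot: In the protocol-version strings hunk (@@ -272,11 +273,11 @@), the reworded line "Lists cipher suites which are only supported in at least TLS v1.2, TLS v1.0 or SSL v3.0 respectively" keeps the contradictory "only supported in at least", and the paragraph mixes "TLS v1.0" with "TLSv1.0" and "SSL v3.0" with "SSLv3.0". Since the lines are being touched anyway, suggest "which require at least" and one spelling of the protocol names throughout.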
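Review bot: In the AES GCM and CCM items (@@ -287,33 +288,33 @@), "these cipher suites are only supported in TLS v1.2" now sits in the same page as a TLS v1.3 table listing TLS_AES_128_GCM_SHA256 and TLS_AES_128_CCM_SHA256, so the sentence reads as contradicting it. Suggest rewording to make clear that these cipher strings select only the TLS v1.2 suites and that the TLSv1.3 GCM and CCM suites are configured through B<-ciphersuites>.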
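Review bot: In the ARIA hunk (@@ -585,29 +586,35 @@), the two ECDHE_RSA rows map to "ECDHE-ARIA128-GCM-SHA256" and "ECDHE-ARIA256-GCM-SHA384" with no "RSA" component, while the ECDHE_RSA Camellia rows just below keep it ("ECDHE-RSA-CAMELLIA128-SHA256"). If these are the names the library really uses, add a short remark next to the table so nobody "corrects" them or writes the RSA form into a cipher list; if not, fix the rows. The added note "the CBC modes mentioned in this RFC are not supported" would also be clearer if it said the CBC suites are not implemented by OpenSSL, since "not supported" could be read as a statement about the RFC.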
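Review bot: In the TLS v1.3 table (@@ -693,11 +700,11 @@), both columns are now identical, so the table no longer conveys a mapping, and the removed "TLS13-" names get no mention anywhere in the patch. Suggest replacing the table with a sentence saying the OpenSSL names for TLSv1.3 suites are the standard names, and adding a HISTORY line noting that the "TLS13-" prefixed names were dropped, so a configuration still using them can be diagnosed from the man page.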
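Review bot: In the HISTORY hunk (@@ -752,11 +759,16 @@), B<-convert> gets an "added in OpenSSL 1.1.1" entry but B<-ciphersuites>, introduced by the same patch, gets none. The B<-stdname> sentence is also hard to parse: "The B<-stdname> is only available if OpenSSL is built with tracing enabled (...) before OpenSSL 1.1.1" is missing "option" and leaves "before OpenSSL 1.1.1" dangling; something like "Before OpenSSL 1.1.1, the B<-stdname> option was only available if ..." says the same thing unambiguously. The licence text change in the COPYRIGHT section is unrelated to the option documentation and would be easier to audit as its own commit.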